Are you a porn spammer?

With the advent of yet another trojan program, some internet users may unwittingly find themselves spamming their fellow surfers with pornographic spam mail. Then again, they might not even know.

Trojan program uses PCs to relay porn (NewScientist news service)

A computer program that hijacks the personal computers of ordinary home users in order to pass on pornographic web pages has been discovered by US researchers.

The program was discovered by independent computer expert Richard M Smith, who was investigating claims of an internet payment scam.

Analysis of the program, dubbed Migmaf, shows that it can turn a home PC into a temporary relay for adult web pages and unsolicited “spam” email. So far 2000 computers have been detected carrying the rogue code, a relatively small number. But experts warn that the discovery reflects a disturbing new trend.

“Generally we’ve seen an increase in the number of Trojan horses exploiting home computers and opening backdoors,” says Graham Cluley, chief researcher at UK anti-virus company Sophos. In June a computer virus was found to convert home PCs into “open mail relays” that spammers use to forward their email.

“With this kind of open scheme it’s hard for us to predict what a Trojan will do,” Cluley told New Scientist. “Whether they use you as a middle man for pornographers or for sending spam is up to them.”

Master server

US computer security firm Lurhq has analysed a copy of Migmaf taken from an infected computer. This shows that the Trojan routes traffic for adult sites hosted on a master server via the infected computers.

The owner of the master server redirects requests through the hijacked machines by updating the website’s domain name system (DNS) settings. These settings translate a domain name, such as www.google.com, into an internet protocol (IP) address, such as 216.239.37.100. Altering the settings links the IP address of the infected machine to the pornographic website’s domain name.

Migmaf tries to keep the identity of its master server secret by scrambling its IP address. The Lurhq analysis says: “It is impossible for the [average] user to tell the actual IP address of the master server, giving the spammer’s real site refuge from being shut down by his ISP.”

However, Lurhq has traced the master server to a US-based ISP called Everyones Internet. The company has now launched an investigation.

Instant messaging

It is not yet clear how the program is uploaded to computers. But experts suspect that it may be forwarded by an email computer virus or spread through file-sharing networks such as Kazaa and Grokster.

A large number of infected machines have been found to belong to AOL customers, perhaps indicating that the file is spread through AOL instant messaging. Most anti-virus software companies have now issued updates to combat the program.

The program analysed by Lurhq was found to have been recently updated, indicating that its creator is working to improve its functionality. Also, Migmaf disables itself when it detects that the infected machine has a Russian keyboard, possibly hinting at the origin of the program.

More Information:

http://www.symantec.com/avcenter/venc/data/backdoor.migmaf.html
